CVE-2025-30036

Stored XSS vulnerability exists in the "Oddział" (Ward) module, in the death diagnosis description field, and allows the execution of arbitrary JavaScript code. This can lead to session hijacking of other users and potentially to privilege escalation up to full administrative rights.

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/en/posts/2025/08/CVE-2025-2313/

Configurations

No configuration.

History

29 Aug 2025, 16:24

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad XSS almacenado en el módulo "Oddzia?" (Sala), en el campo de descripción del diagnóstico de fallecimiento, que permite la ejecución de código JavaScript arbitrario. Esto puede provocar el secuestro de sesiones de otros usuarios y, potencialmente, la escalada de privilegios hasta alcanzar derechos administrativos completos.

27 Aug 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-27 11:15

Updated : 2025-08-29 16:24

NVD link : CVE-2025-30036

Mitre link : CVE-2025-30036

CVE.ORG link : CVE-2025-30036

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-30036", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-27T11:15:32.353", "references": [{"url": "https://cert.pl/en/posts/2025/08/CVE-2025-2313/", "source": "cvd@cert.pl"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Stored XSS vulnerability exists in the \"Oddzia\u0142\" (Ward) module, in the death diagnosis description field, and allows the execution of arbitrary JavaScript code. This can lead to session hijacking of other users and potentially to privilege escalation up to full administrative rights."}, {"lang": "es", "value": "Existe una vulnerabilidad XSS almacenado en el m\u00f3dulo \"Oddzia?\" (Sala), en el campo de descripci\u00f3n del diagn\u00f3stico de fallecimiento, que permite la ejecuci\u00f3n de c\u00f3digo JavaScript arbitrario. Esto puede provocar el secuestro de sesiones de otros usuarios y, potencialmente, la escalada de privilegios hasta alcanzar derechos administrativos completos."}], "lastModified": "2025-08-29T16:24:09.860", "sourceIdentifier": "cvd@cert.pl"}